openconfig · morrowc · May 6, 2026 · May 6, 2026 · May 6, 2026 · May 6, 2026
@@ -1,4 +1,4 @@
-# Authz: General Authz (1-4) tests
+# Authz: General Authz tests
 
 ## Summary
 
@@ -347,8 +347,12 @@
   1. Use `gNSI.Rotate` method to push and finalize policy `policy-normal-1`, with `create_on` = `100` and `version` = `policy-normal-1_v1`.
   2. Ensure all results match per the above table for policy `policy-normal-1`.
 
-* TODO: Authz-1.5, "Test principle prefix and suffix match"
-  * Test the behavior of [prefix and suffix match on principles](https://github.com/grpc/proposal/blob/eb0d8fcc93820d3039ac851f8a36bdf2554cab6a/A43-grpc-authorization-api.md?plain=1#L73-L74)
+* Authz-1.5, "Test principle prefix and suffix match"
+  1. Use `gNSI.Rotate` method to push and finalize policy `policy-prefix-suffix-match`, with `create_on` = `100` and `version` = `policy-prefix-suffix-match_v1`.
+  2. Ensure all results match per the following:
+      * All users matching `spiffe://test-abc.foo.bar/xyz/*` (prefix match) are allowed to issue `gNMI.Get` method.
+      * Only users matching `*admin` (suffix match, e.g., `cert_user_admin`) are allowed to issue `gRIBI.Get` method.
+      * Other users are denied to issue `gRIBI.Get` method.
 
 ### Authz-2, test rotation behavior
 

@@ -314,6 +314,39 @@ func TestAuthz1(t *testing.T) {
 		// Verify all results match per the above table for policy policy-normal-1
 		verifyAuthTable(t, dut, authTable)
 	})
+
+	t.Run("Authz-1.5, Test principle prefix and suffix match", func(t *testing.T) {
+		// Pre-Test Section
+		_, policyBefore := authz.Get(t, dut)
+		t.Logf("Authz Policy of the Device %s before the Rotate Trigger is %s", dut.Name(), policyBefore.PrettyPrint(t))
+		defer policyBefore.Rotate(t, dut, uint64(time.Now().Unix()), fmt.Sprintf("v0.%v", (time.Now().UnixNano())), false)
+
+		// Fetch the Desired Authorization Policy and Attach base Admin Policy Before Rotate
+		newpolicy, ok := policyMap["policy-prefix-suffix-match"]
+		if !ok {
+			t.Fatal("Policy policy-prefix-suffix-match is not loaded from policy json file")
+		}
+		newpolicy.AddAllowRules("base", []string{*testInfraID}, []*gnxi.RPC{gnxi.RPCs.AllRPC})
+		// Rotate the policy.
+		newpolicy.Rotate(t, dut, uint64(100), "policy-prefix-suffix-match_v1", false)
+
+		// Verification
+		for certName, spiffe := range usersMap {
+			t.Run(fmt.Sprintf("Verification of gNMI Get for %s (prefix match)", certName), func(t *testing.T) {
+				authz.Verify(t, dut, &spiffe, gnxi.RPCs.GnmiGet, &authz.HardVerify{})
+			})
+
+			if certName == "cert_user_admin" {
+				t.Run("Verification of gRIBI Get for admin (suffix match)", func(t *testing.T) {
+					authz.Verify(t, dut, &spiffe, gnxi.RPCs.GribiGet, &authz.HardVerify{})
+				})
+			} else {
+				t.Run(fmt.Sprintf("Verification of gRIBI Get for %s (should be denied)", certName), func(t *testing.T) {
+					authz.Verify(t, dut, &spiffe, gnxi.RPCs.GribiGet, &authz.ExceptDeny{}, &authz.HardVerify{})
+				})
+			}
+		}
+	})
 }
 
 // Authz-2, Test rotation behavior

@@ -3,5 +3,5 @@
 
 uuid:  "a5c2d46c-976b-41bd-9fae-3341ce5c1b29"
 plan_id:  "Authz"
-description:  "General Authz (1-4) tests"
+description:  "General Authz tests"
 testbed:  TESTBED_DUT
@@ -225,4 +225,31 @@
         }
       }
     ]
+  },
+  {
+    "name": "policy-prefix-suffix-match",
+    "allow_rules": [
+      {
+        "name": "prefix-match-xyz",
+        "source": {
+          "principals": [
+            "spiffe://test-abc.foo.bar/xyz/*"
+          ]
+        },
+        "request": {
+          "paths": ["/gnmi.gNMI/Get"]
+        }
+      },
+      {
+        "name": "suffix-match-admin",
+        "source": {
+          "principals": [
+            "*admin"
+          ]
+        },
+        "request": {
+          "paths": ["/gribi.gRIBI/Get"]
+        }
+      }
+    ]
   }]